Yesterday announced and today a new Intune Extension for Configuration Manager 2012 R2 was available. The extension enables us to set up conditional access for customers using Exchange Online, you are able to restrict Exchange ActiveSync for users that have their devices enrolled.

Let’s see how this works together with Exchange Online.

The first step is to enable and install the Conditional Access Extension in the Configuration Manager Console.

Enable the new extension

After enabling and installing the exentsion you see that two new nodes are added to the Configuration Manager 2012 R2 Console. Look below and you see Compliance Policies and Conditional Access.

New nodes in the console

After enabling the extension you are able to create and deploy a compliance policy which is supported by the following mobile device platforms;

Windows 8.1 and later

Windows Phone 8.1 and later

iOS 6.0 and later

Android 4.0 and later

Depending on the device type we are able to configure rules that can be remediated or not before access to Exchange Online is permitted;

Windows 8.1 and later:

PIN or password configuration can be remediated

Windows Phone 8.1 and later:

PIN or password configuration can be remediated

Device encryption can be remediated

iOS 6.0 and later:

PIN or password configuration can be remediated

Device encryption can be remediated by setting also PIN

Jailbroken device can be placed in quarantine

Email profile must be managed via Intune, if not the device is placed in quarantine

Android 4.0 and later:

PIN or password configuration can be placed in quarantine

Device encryption can be placed in quarantine

Jailbroken device can be placed in quarantine

Let’s see how we are able to configure a Conditional Access Policy and how we are able to deploy it to a device that is managed via Configuration Manager 2012 R2 that is connected to Microsoft Intune. First we need to create a Compliance Policy to configure in this demo.

Let’s first give the Compliance Policy a name.

First step is to give the Compliance Policy a name

Select the Supported Platforms, in this case iPad iOS8

Select the right platform

Next you need to configure the compliance settings for the device. The device must be compliant before access to Exchange Online is approved.

You can add the managed email profile so that the devices are checked if this profile has been installed and if it is managed by Intune.

Select the email profile

Next you can review the settings and click next to create the policy.

After the compliance policy is created you need to deploy it via Configuration Manager.

The next step is that you need to setup Conditional Access in Microsoft Intune, so you need to logon with your tenant admin.

Enable Block mail apps from accessing Exchange Online if the device is incompliant and configure the (Synced AD) groups that needs to be targeted with the conditional access.

And configure the groups of users that are allowed to be incompliant.

Device Side

A quick look at the iPad that received the Compliance Policy.

Hey there is already a non managed email profile available. You need to remove it! 🙂

We need to configure a passcode, this is mandatory within 60 minutes

No you cannot use 123456 😉

And of course when the device is not enrolled or compliant you will not be able to synchronize your email!

THe device is not compliant, enroll the device to get managed

Microsoft Intune side

When looking back at Microsoft Intune you see that three Exchange Devices are placed in Quarantine.

Three devices are in Quarantine

The devices that are in Quarantine

When you select one of the devices that are in quarantine you see why the device is in quarantine. The device called peter_iPad_1 is in quarantine because the Device is not managed by Microsoft Intune.

Information about why the device is in Quarantine

After the device is compliant you see that the device is not in quarantine anymore. Access is granted and managed by Microsoft Intune.

Technical Consultant and Enterprise Client Management (Configuration Manager/Microsoft Intune/Enterprise Mobility Suite) MVP with Microsoft partner IT-Concern with a primary focus on the System Center Suite and Microsoft Exchange. Writing blogs and sharing his knowlegde on ConfigMgrBlog.com.
Also one of the founders and leads of the Windows Management User Group Netherlands.

Peter tries to speak every year on several events like TechDays Netherlands, ExpertsLive BriForum, Midwest Management Summit and in 2013 Peter had the honor to speak at TechEd Australia and TechEd New Zealand. See more here.